Why adopt such a law as the November 2016 Cybersecurity Law, especially when heavy-handed restrictions already existed for users and companies alike in China?
This statement was originally published on hrw.org on 12 December 2016.
By Sophie Richardson, China Director
Do Chinese authorities need more laws to surveil people? From the earliest days of the Chinese Communist Party, authorities have kept the closest of eyes on all behavior for signs of dissent. At that time, party members were obliged to report on one another; during the Cultural Revolution, that grim responsibility was imposed on teachers, married couples, and even children. Whether through the street committee system, the dossiers kept by work units, or the police-run “grid system,” Beijing has demonstrated consistent zeal for vast, intrusive surveillance networks.
The Chinese government’s love-hate relationship with online speech is well-documented. Beijing has expanded connectivity primarily for economic reasons, but also as a means to monitor and control individual views. The government has prosecuted people, like Uighur economist and peaceful critic Ilham Tohti and human rights lawyer Pu Zhiqiang, for their online speech, adopted regulations setting out restrictions on content, and paid the “fifty-cent army” to steer online discussions to praise the government.
In the past year alone, authorities have issued multiple directives to gag online speech, such as criminalizing the “spreading of rumors” about natural disasters, and issuing new rules requiring app providers to keep user logs for 60 days to reduce the spread of “illegal information.” Recently, a leaked police report described virtual private networks (VPNs), widely used by businesses, journalists, and ordinary users to protect their privacy and evade the “Great Firewall,” as “terrorist software.”
Between July and October 2016 alone, authorities shut down seven web-based news channels of Sohu, Sina, Netease, and Ifeng; imposed new requirements on websites, including requiring staff to monitor content round the clock; closed the influential intellectual website Consensus for “transmitting incorrect ideas;” and issued new rules on live streaming platforms, requiring companies to monitor user content that threatens national security. Many domestic Internet companies employ hundreds of “censors” to proactively search for and restrict any user-generated content that could run afoul of broadly drawn censorship laws.
But the November 2016 Cybersecurity Law – which reflects the same obsession with national security as the new State Security Law, the Counterterrorism Law, and the Foreign NGO Management Law – breaks new ground.
First, it requires a range of companies – including international firms – in China to censor “prohibited” information and restrict online anonymity, including by demanding that companies require users to provide their real name and personal information to use their services. In the past, instant messaging services were exempt from real-name registration requirements, but the new law now changes that.
Second, the law now obliges “critical information infrastructure operators” to store users’ “personal information and other important business data” in China. The scope of this obligation is limited only to data that is related to a firm’s China operations, but the term “important business data” is undefined, and companies must still submit to a security assessment if they want to transfer data outside the country. The definition of “critical information infrastructure” remains vague and could encompass a broad range of companies.
Third, companies now have to monitor and report to the government undefined “network security incidents,” as well as provide undefined “technical support” to security agencies to aid in investigations, raising fears of increased surveillance. Network operators must retain network logs for at least six months and accept government “supervision.”
Fourth, the law explicitly prohibits individuals from using the Internet to “endanger national security, advocate terrorism or extremism, [or] propagate ethnic hatred and discrimination,” and “overthrowing the socialist system” and “fabricating or spreading false information to disturb economic order.” It also bans the use of the Internet “to incite separatism or damage national unity.” These crimes, some codified in criminal law, are regularly used to punish and jail peaceful activists and can result in lengthy sentences.
Finally, Article 46 of the final draft also prohibits individuals or groups from establishing “websites and communication groups” that are used for “spreading criminal methods” or “other information related to unlawful and criminal activities.” But as critical stories or protest are regularly criminalized in China, this article may encourage further self-censorship on social media.
The law does incorporate privacy protections for users regarding how private companies must safeguard their personal data or notify them of potential breaches or security vulnerabilities. However, the law fails to impose adequate protections for the right to privacy where security agencies monitor networks, investigate cybercrime, or access data held by companies.
While many of these measures are not new, most were previously only informally applied or defined in lower-level regulation. Elevating these powers in the Cybersecurity Law sends a signal that the government may enforce the requirements more strictly, leaving less leeway for tech companies to avoid implementation.
While many states are debating cybersecurity legislation, China’s law should be viewed within a legal framework, where threats to “information security” are defined broadly enough to include sharing information that diverges from official narratives, and where “preserving Internet sovereignty” is the overarching goal.
Why adopt such a law, especially when heavy-handed restrictions already existed for users and companies alike? Presumably Beijing wishes to create a veneer of legal legitimacy when it imprisons on-line critics or shuts down companies, and to extend into the digital realm sufficient uncertainty about what might or might not be legal to fuel self-censorship. As a government deeply hostile to the freedom of expression, privacy, and other human rights that protect on-line peaceful speech, Beijing has made its intentions ominously clear.